Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Security Your Rights Online

US Relaxes Crypto Regulations 69

Guru Meditation writes "CNN reports in an article that Clinton has decided to relax the export restrictions on crypto products, both hardware and software. " The Washington Post also has some good coverage of this. As part of the deal, the FBI will get funds to create a new "code cracker" unit. The Administration, however, did drop the proposal to require backdoor entrance for the government. The new regulations will allow selling to virtually any country, with a few exceptions for nations deemed a national security threat.
This discussion has been archived. No new comments can be posted.

US Relaxes Crypto Regulations

Comments Filter:
  • by Anonymous Coward
    The new regulations are not as good as they seem. True, it will no longer be necessary to get government approval for each instance of an export, but the producer of a product must still register the product with the government. That's OK for Microsoft or RSA, but I don't think it works for open-source software. Note also that the announcement of the new regulations appears to be a move by the administratin to head off SAFE. The administration still claims that SAFE would compromise national security and would therefore be vetoed. Write your congressman and tell him to vote for SAFE.
  • by Gleef ( 86 ) on Thursday September 16, 1999 @11:19PM (#1677614) Homepage
    Here is the actual whitehouse briefing [whitehouse.gov]. The articles had no info on online or free software distribution, because the press release had no information. Our media has gotten so absurdly lazy, they don't bother to inquire about anything.

    It would be good if someone could find an online copy of the actual Executive Order.

    ----
  • The law enforcement folks probably struck some kind of deal they're not telling us about yet -- something they'll sneak in added to a bill like "The Baby Seal Protection Act" which will allow them to continue treating us like residents in a police state.

    Or maybe I'm just a bit cynical about our government *ever* giving an inch and letting US citizens have rights...

    ----

  • >..but why create a new unit under the FBI, when the NSA probably has significant numbers of
    >mathematicians and computer scientists, and the clock cycles to help 'em?

    Be afraid.

    The FBI is chartered for domestic survailance. The NSA is not. This new unit is to spy on you.

    ----

  • Whether the NSA/FBI/... are now giving in because they have found a new trick is "interesting speculation", but not all that relevant in practice. Even if it is true, nothing changes for users of "exportable" encryption software when dealing with the NSA: the NSA was able to break such crypto before, and it still is. What's more, nothing much should change for users who distrust the NSA and use stronger crypto either: based on their distrust and assumption that the NSA already had a secret trick up their sleeves, they will (should) already have opted for stuff that is a lot harder to break anyway.

    What is relevant in practice, is that one can now export (i.e. use) stronger crypto that (for the time being) only the likes of NSA, but not Joe Random Cracker, would be able to break.

    Notice that I'm not saying "so what". All I'm saying is that the important thing is that it's a move in the right direction, whatever reason made it possible.

    --

  • We still need to keep an eye out, to make sure that some elements of the administration don't try to sneak in some kind of compromise (escrowed keys, for instance).


    ...phil
  • RSA does not hold a patent on DES. DH key exchange, yes.


    ...phil
  • Yes, it has been OK to import strong encryption. I suppose that if it is a munition, then it falls under our right to keep and bear arms... :-)

    Seriously, this has always been confusing to people. You have been able to import an encryption product into the US from country B, and then not export the exact same encryption product back to country B.

  • by substrate ( 2628 ) on Thursday September 16, 1999 @10:45PM (#1677621)
    For the NSA to get involved in certain actions would be beyond the scope of their charter, it'd be illegal. The purpose of the NSA (pilfered from the NSA web page) is


    The National Security Agency is the Nation's cryptologic
    organization.
    It coordinates, directs, and performs highly specialized
    activities to protect U.S. information systems and produce foreign
    intelligence information. A high technology organization, NSA is on the
    frontiers of communications and data processing. It is also one of the
    most important centers of foreign language analysis and research within
    the Government.


    The FBI's charter however is:



    The Mission of the FBI is to uphold the law through the investigation of violations of
    federal criminal law; to protect the United States from foreign intelligence and
    terrorist activities; to provide leadership and law enforcement assistance to federal,
    state, local, and international agencies; and to perform these responsibilities in a
    manner that is responsive to the needs of the public and is faithful to the Constitution
    of the United States.


    The NSA's goal is to provide signal intelligence from foreign sources while the FBI's goal is uphold federal law and protect the US against foreign threats. They can be a consumer of information from the NSA if it relates to protecting us from foreign threats but not for residents breaking federal law.

    If I'm forced to have an orginization trying to spy on my signals I'd rather have the FBI do it, they won't have near the resources of the NSA (the worlds leading employer of mathematicians). To reduce the chances of me being spyed on I avoid breaking any federal laws.
  • Three things to consider: First, this policy still requires a review before cryptogoodies can be exported. It does not specify that every product that is reviewsed will pass. They may very well approve web browsers and NT while not approving PGP, encrypted file systems or IPSec implementations.

    Second, the text of the bill indicates that software designed for end-users will be more readily approved. This indicates a bias against products that will protect whole networks and provide a secure infrastructure; insuring that secure communications will remain the exception rather than the default.

    Third, the timing of this decree is obviously designed to kill the SAFE bill. The SAFE bill not only goes further in liberating crypto exports, but also carries the force of law. Repealing a law is a large affair, requiring a vote of congress and thus allowing the public time to lobby, cuss and complain. This decree does not dismantle the export regs, and they can be tightened to previous standards with a stroke of a pen and no opportunity for public comment.

    Do not let this kill SAFE! Lobby your congresscritter!

  • by Mawbid ( 3993 ) on Thursday September 16, 1999 @10:41PM (#1677623)
    are very interesting:
    White House spokeswoman Nanda Chitre said the move, which was announced Thursday, affected software and hardware and was intended to benefit the economy, preserve privacy, serve the national security interest and protect law enforcement capabilities.

    "Serving the national security interest" and "protecting law enforcement capabilities" were apparently not the reasons for restricting export in the first place. We have always been at war with Eurasia.
    --

  • None of the articles said what this really means.

    Will they rise the bar by a couple bits or do we get to 128? Any restrictions on the kinds of software?

    Also, how does this go with the Wassenaar contract? Is it that now that Wassenaar went through, US can happily rely on other countries living with no exporting due to the contract. So, in essence, does this mean the White House is saying the contract doesn't apply to US anymore? Looking at the past where everyone else could export and US companies couldn't, the situation has now been completely reversed. Smart tactics from the US government.
  • As I speculated in another article, the reason might be the fact that now that the US has all other countries tied up with the Wassenaar contract, they have less competition in the marketplace. Without the restrictions they couldn't have passed the contract. Now with the contract in place, they can free up their own export regulations and let the US companies really grab the market.

    So, it's all just marketting tactics done by politicians. Money talks.
  • Now that's an interesting idea. :)

    Someone's really given thought on this one and still fails to understand that the misusers haven't and still won't do anything by the regulations nor tell of the use to third parties. The repositories will probably end up with a ton of keys from people who never have anything to say that'd require cryptography in the first place. :)

  • Warning !!! IANAL

    We seem to have a congress with two bridges to burn... How to tax the internet, and how secure can we allow the Internet to be. The real question for congress (if the realize it or not) is not how to tax the internet, but how to justify taxing the internet. Perhaps a combo bill would be powerful enough to ram right through lobby roadblocks.

    Some key points of such a bill.

    * No review or restriction of any crypto (up to X number of bits encryption.) Complete restriction after X.

    * Online transactions (when the consumer is physically located in the US) must be made by credit or debit card. Credit card/Debit card companies/banks will be responsible for extracting N% federal sales tax.

    Now congress can justify why American citizens should pay an internet tax. N-Y% (Y will likely go to kissing somones butt to make this thing pass.) of the internet tax can be spent on propping up agencies like the NSA an FBI so they can effectively brute force X level encription upon court order.

    This should work if you choose the correct numbers for N, X and Y.

    Whatever you push to the congress critters, remember keep it fair and simple.

  • by LizardKing ( 5245 ) on Thursday September 16, 1999 @10:22PM (#1677628)
    One thing that I never understood about the US crypto laws was this:

    Is it OK for a US citizen to *import* strong encryption?

    If the US laws state ony that crypto shouldn't be exported, then the law is becoming a bit of a non-issue. There arc plenty of good encryption algorithms and sopftware coming from outside the US, from places like Israel, etc.

    Perhaps this change of heart is to prevent other countries adopting draconian export licenses which would hinder US software houses. Of course, export laws will never hinder covert organisations who will use the best available crypto code regardless of laws ...

    Chris Wareham
  • Something that just occurred to me upon reading that the FBI is getting concessions, and recalling that Louis Freeh (the FBI director) has been so anti-crypto.

    The US government does not prohibit US citizens from using cryptography, no matter how strong, as far as I know. PGP and so on are just fine for US citizens to use. The government just doesn't allow their export.

    So, the crypto regulations that the US has are, in theory, supposed to prevent foreign interests from getting strong crypto. The regulations don't work, of course, but that's the motivation for them.

    The FBI is a domestic law-enforcement agency. Practically everybody it's supposed to be watching is already allowed to use crypto. The people who would benefit from the export regs (if they actually did anything) would be the CIA and the NSA, which monitor international communication.

    So, why is the FBI in a position to receive concessions when the export regs are relaxed? They shouldn't be in a position to benefit from the regulations in the first place!
  • by kuro5hin ( 8501 ) on Friday September 17, 1999 @12:04AM (#1677630) Homepage
    For the NSA to get involved in certain actions would be beyond the scope of their charter, it'd be illegal.

    The NSA doesn't officially have a charter. Or at least, if it does, you, I, and everyone else are not allowed to see it. The desription on the web page is filtered through some rose-colored glasses. NSA does not, and is not legeally required to, stick solely to foreign SIGINT. They tend to, because otherwise they piss off other US spy agencies, but they will do, and have done, whatever they feel is necessary, including domestic snooping on many occasions.

    In general, though, your conclusions are sensible. The FBI is not nearly as competent, so I'd much rather have them trying to decode my bomb plans, or laundry list, or whatever. :-)

    ----
    We all take pink lemonade for granted.

  • From here [infoworld.com]


    Few = 7


    Countries = Iran, Iraq, Libya, Syria,Sudan, North Korea and Cuba.
  • From Wired:

    "The court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of the technique used by the governmental entity," Section 2716 of the proposed Cyberspace Electronic Security Act says.

    This would mean that the feds could introduce evidence at a trial and not disclose how they obtained it. I think that is a very bad idea. What would prevent them from fabricating "incriminating evidence" and saying "we can't tell you where it came from, trust us". We already have the use of anonymous tips from non-existent sources as a basis for obtaining search warrants.

  • My main worry on such an about face is they may have made some sort of breakthru on cracking the codes thus making it irrelevant to them if they let us encrypt data. Maybe they are just giving the feds that extra cash to make it look like everything is normal. Arghh where is Mulder when you need him. :)
  • o yjoml oy jsd dp,yomh yp fp eoyj no;; v;omypmd jrsf nromh dvts,n;rf

    Hey! They're only giving Janet $80 million -- you've just wasted about $3 million of it, so she's only got $77 million left for other codes!

    And you misspelled dp,ryjom -- but that'll probably make it harder for her to decipher. :-)

  • The only people who should ever have been inconvenienced by the export regulations are U.S-based crypto sellers. U.S and non-U.S citizens have access to strong crypto anyway.

    U.S. citizens cannot contribute work to a cryptosystem that is distributed outside of the U.S. That is a good practical reason for objecting to crypto controls.

    But besides that, crypto laws are an area where we clearly need to be concerned about our eroding rights. I don't think there's any doubt that Freeh and Reno would be just as glad to see the use of strong crypto outlawed. For them to head off a law that would have eliminated most export controls, simply by throwing a tiny concession to the computing industry, would be a significant strategic victory. That is why we should be concerned about the effect of this move.
  • What we know so far:

    Few details have been released. The only official words on the subject seem to be yesterday's White House briefing, which is more like press release cheerleading than hard policy. The briefing was conducted by:

    • Deputy National Security Advisor Jim Steinberg,
    • Attorney General Janet Reno,
    • Deputy Secretary of Defense John Hamre,
    • Undersecretary of Commerce Bill Reinsch,
    • and Chief Counselor for Privacy at OMB Peter Swire.

    Reinsch's role in the briefing was mainly to answer procedural questions about Wassenaar and technical review. Swire spoke very briefly in support of the upcoming Cyberspace Electronic Security Act, and talked about how key escrow will make all our lives better.

    That leaves Steinberg, Reno and Hamre -- noted opponents of private crypto, all three -- to express their support for the Administration's decision to relax export controls.

    I smell a rat.

    As others have noticed, the closest thing to a firm commitment that has been made is that a "license exception" can be made for products that pass a "one-time technical review." The details of the technical review are not forthcoming: Secretary Daley says, "That will be developed over the next number of weeks." Nor do we know under what circumstances a license exception will be granted. This has all the earmarks of being all talk and no action.

    Maybe this is the most telling part of the briefing:

    Q: Would you consider this a relaxing of restrictions on encryption?
    Attorney General Reno: No.

    I am not getting my hopes up. The right thing for us to do is to contact our Congresscritters and make sure they understand that it is still important to pass SAFE -- maybe more than ever.


  • Also, this has relaxed the rules enough for big business to sell their stuff *reasonably* easy.

    Thus, there's a lot less incentive for big business to continue lobbying for total freedom.

    Now that big business is happy, what's the chance of this trend continuing any further?
  • Define few...
    Define national security threat...

    I don't believe this relaxation. You either restrict it, or you don't.
  • by Slimbob ( 35316 ) on Friday September 17, 1999 @12:46AM (#1677639)

    Slightly offtopic to the article, but relevant:

    One of the great things about electronic communication is that it gives the common man instant lobbying power.

    One of the greatest things Slashdot:YRO could do is to post a tool, or a permanent link to a tool, that lets you quickly and easily determine who represents you. I have occasionally seen posts with links to sites like Project Vote Smart [vote-smart.org] that provide this ability. More frequently I have seen posts where people have formatted excellent letters to send to your congressional representatives that address various issues (UCITA, Microsoft trial, etc.), but I still have to do a lot of rooting around to find out who my current representatives are.

    This process could all be streamlined right here on YRO, if there was some kind of simple tool (enter your ZIP, up pop the email addresses of everyone who represents you).

    There are a lot of intelligent opinions on Slashdot. We need to make them visible in the political arena.

  • No sooner is Microsoft's Freedom to Innovate Network founded than they get the government to relax the crypto export regulations.

    I just wish I had joined FIN so I could claim to be part of the group that made it happen [or at least claim to have made it happen].

    Can't wait until FIN finds a way to protect me from the internet boogey man.
  • by coyote-san ( 38515 ) on Friday September 17, 1999 @02:38AM (#1677641)
    As I understand the proposed changes,

    Microsoft will find it far easier to export W2K (which includes e&e Kerberos)

    My company *might* be able get an export license for a Kerberized Linux distribution. Or it might not, since my company is still at the "one person in the garage" stage. Red Hat wouldn't have this problem, but if the export license prohibited export of source code they're still dead in the water due to the GPL.

    Debian wouldn't have a snowball's chance in Redmond of being able to carry my (US) Kerberos packages on their pages.

    To me, this proposal is proof that "social engineering" isn't limited to crackers. This proposal will get industry lobbyists off the administration's back, and it gives them the perceived moral high ground on the Sunday morning talk shows. ("We've removed all but token obstacles to American businesses competing in the world market. Only drug running child pornography terrorists will be impacted, and We Don't Want To Help THEM, Do We?!")

    WE know that it also hurts us, but we also know that we're all a bunch of pinko communists. Just look at the "exposes" that appear on a regular basis.

    Finally, as others have pointed out Executive Orders can be rescended, often with no basis in reality. E.g., I'm still showing my passport to board domestic flights because TERRORISTS BLEW UP TWA 800. That theory has been discredited for years, but the EO that grew from it is still in effect. I would not be surprised if this EO blocked passage of SAFE, then in 6 months some crisis is manufactured which justifies slamming the door again. Naturally products with licenses (e.g., W2K) will be grandfathered.

  • Can anyone with better insight into this whole soap opera answer the question that is notably missing from the press coverage, namely what this means for open development and online publishing?

    I understand that is means companies like AOL, NA and co. can now get one license to export crypto products that would cover all shipments of the product, but it doesn't say anywhere that the regime will actually grant that license, or anything about the terms required. And while a company might be able to negoiate the terms with the american regime, that is completely out of the question for an open source effort, right? (I mean, they would still need to have it re-evaluated with every version).

    What about the proffessor who posted his crypto routines on his webpage? As I understand the new law, he might actually be able to do it, but only after applying for a license and being granted one. Wow, that is sooo much better.

    It seems to me that this is a bit out of touch with reality. It makes it clear how to export shrink wrapped crypto software, but how many of you bought your crypto software in a shrinkwrap anyways? The real issue is online, I couldn't care less if I will now start seeing american crypto products in stores here.

    Good for Microsoft though... (they can dump the whole key thing and include the crypto modules in NTs installation now - just in time when the PR damage has been done, how sweet :-) )

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.
  • by dkm ( 42942 )
    Well, the opponents relaxing imports have gotten their PR machines rolling. This BBC article doesn't say much other than reiterate the old terrorist and criminals argument. Same old BS. [bbc.co.uk]
  • Yeah. I read the wired article and had the same reaction you did. I thought I'd post the link since it is a very good article: http://www.wired.com/news/news/politics/story/2181 0.html [wired.com]
  • Heh - in other words, the government either has the technology or the keys to encryption algorithums - I don't think they would be that stupid.
  • by anticypher ( 48312 ) <[moc.liamg] [ta] [rehpycitna]> on Thursday September 16, 1999 @10:48PM (#1677646) Homepage
    I think the Clinton administration is just throwing the dog a bone on this one. They have eased up only slightly on large companies with existing export agreements on crypto previously approved for export. In the future, a company will have to go through an export review only once before being allowed to ship crypto inside of another product. There is clearly no mention of freeware or OSS products in these press releases.

    What this bill does not cover includes sales to any foreign government, military, or ISP. Those will still require a case-by-case review. Only products that meet the requirements for law-enforcement intercept will get this one time approval, so key-escrow and door-bell systems will quickly get the green light, others will have to slog through a years long process. They will still criminalize exports to "terrorist" countries, such as Cuba, but allow it to friendly nations like Columbia.

    Nobody gets to see the wording of this new policy until December, so it is hard to tell why Hamre and Reno are smiling at this announcement. I have a feeling there is nothing new here except a minor improvement for big companies in return for a drop-in-the-bucket US$80million for a dedicated cryptanalysis team for the FBI. Its just a PR move.

    For another slightly pessimistic view, go read this San Jose Merc article [sjmercury.com]. Given the track record of the administration, I really don't think they've suddenly given up the fight and want strong crypto everywhere.

    the AC

  • "The only person who'd be safe if the SAFE bill were to pass," Hamre said, "would be spies."
    WTF?
    Isn't that like saying, "If gun ownership is legal, only criminals will use guns"? What a bunch of crap...
    If the SAFE bill were to pass, the citizens would be another step closer to running the country, not the bloated, increasingly self-centered government. OK, I hope I'm not quite as paranoid as I sound, but it does appear the government doesn't care about the citizens any more, but rather focuses on giving itself more power.
  • That's the thing, we don't know...
    All they have said is that they will audit a product once instead of for every sale..
    It really isn't that much of a win for encryptation, for they can deny anything they want to be exported still.
    For instance, they can say that only only 56bit keys will be allowed, or only programs with backdoors, or whatever they darn well please. I'm still holding out for some REAL openness for encryptation.
  • Uh, which one are you referring to? Based on past actions I think there is room for debate.

  • I meant to add that the Bernstein case may blow this approach out of the water.

    Howard Owen hbo@egbok.com Everything's Gonna Be OK Consulting

  • The Bureau of Export Administration (BXA) has updated its encryption web site [doc.gov] to include information on the new policy. In the question and answer page [doc.gov] appears the following :


    8. Is source code allowed to be exported under a license exception or does this policy only authorize the export of encryption object code?

    Source code will continue to be reviewed under a case-by-case basis. This update will allow the global export of object code encryption software under a license exception.


    This confirms the fears of many posing here that OSS crypto is NOT covered under the new policy.
    They also had an item this morning that seemed to imply that they were still hoping for some sort of key escrow for law enforcement, but it has since been pulled.
    It should be interesting to see how contined restrictions on the export of crypto source code are rationalized. The stated reason source (and object) code was treated differently from printed matter in the past was that such code represented an encryption "device". Clearly this continued restriction on source code export is designed to hobble freely available packages such as SSH, PGP and GnuPG. Why? So that export of crypto can be confined to business entities that can be pressured to play ball with the Government. Paranoid rant? I don't think so.



    Howard Owen hbo@egbok.com Everything's Gonna Be OK Consulting

  • Besides the "party line", which I'm sure we'll hear plenty about, what's really going on? Why so sudden? Which of the following options have come to pass?

    1) NSA can factor prime numbers?
    2) NSA/FBI finally gave in after the finalists for AES (successor to DES which they can brute-force) were announced since they can crack them all (and PGP, and RSA, and elliptic curve)?
    3) The U.S. military has become so heavily dependent on TCP/IP that they need a secure infrastructure throughout the Internet.
    4) NSA has developed effective nano-mites which effectively render all encryption obsolete via a physical side-channel attack?
    5) Intel's microprocessor dominance is now assured. And the NSA has inserted a microcode hook (can you say, "mask technician?") in all Intel processors (cf Ken Thompson [acm.org], "A well installed microcode bug will be almost impossible to detect.")

    Reply with your speculative other options. Remember "only the paranoid survive."

    --LinuxParanoid
  • E-Commerce, may be the ticket, but this article from HotWired [wired.com] actually has, IMHO, the best and most intelligent explanation for all this hoopla.

    Read it, and go "ah-ha"!

  • That's debatable.

    First of all, I am not sure the Wassenaar agreement has anything to do with crypto. I thought it was more about intellectual property (but I may be wrong).

    Second, don't forget that some extremely good crypto has been issued from Europe and the rest of the world. For instance, IDEA (which is used by PGP) came from Switzerland. Another crypto proposal, which is currently under review as one of the possible US federal standard, issued from a group of researcher in the Netherlands. Some scandinavian firms, such as DataFellows which is from Finland (I think) already produce some pretty good crypto software, based on Blowfish and IDEA.

    There is a lot of money to be made, that's for sure. Which is certainly one of the reasons for this display of crypto love. But I don't think it's the only one.

    Then again, what do I know? =)
  • by Noryungi ( 70322 ) on Thursday September 16, 1999 @11:01PM (#1677655) Homepage Journal
    Rejoice, crypto friends! Strong encryption is now about to be legalized in the US... Or is it?

    Here is a quote that I like (from the Washington Post):

    Pressed to explain the turnabout, Reno and Hamre said their concerns were assuaged by the administration's pending introduction of legislation called the Cyberspace Electronic Security Act of 1999, which would give the FBI $80 million over the next four years to establish the new code-cracking unit.

    That's really interesting. Up until now, the NSA was not allowed by the law to conduct SIGINT (code-cracking) operations against US citizens. Now, this new law gives the FBI a spanking, brand new unit, specialised in... tada! code-cracking! I think this little outfit will be more like a joint-venture between NSA and FBI. It happened before -- but now it's going to be legit.

    Think about it for a second: who is the ultimate authority in code-cracking? NSA. Who has been playing the little game of crypto for the past 20+ years? NSA. Who has the brain- and CPU power to do some serious code-cracking? NSA. I can't believe, for more than 10 seconds, that this agency is going to just stand there and let the FBI have it its own way, especially since these people have been very cosy for a number of years now. Expect some interesting stories to surface in the near-future... I really expect the NSA to start spying on US citizens. Maybe not on a scale on a par with the "Echelon" project, but certainly a lot more often than what was the case previously.

    Another important question is: WHY NOW? Why accept a law these people have been fighting tooth and nail for the past 5 years?

    Is it because there really isn't any choice and crypto's Pandora box is open? It's possible. The rest of the world has been doing a great job creating strong crypto, despite (or because of) the silly US ban on export.

    Is it because NSA scientists would like to get fat stock options from new Silicon Valley start-ups? That's possible too. Some of these people are incredibly smart, and it must hurt to see so many bad code out there, while they are the cream of the crop, but can't talk because of the security involved. Expect plenty of little, unknown crypto companies to appear overnight if that's the case.

    Is it because the NSA has found a new way to factor prime number? That could also be the case... Imagine 2048 bits crypto cracked in 15 seconds flat and 4096 bits in half an hour, due to to some ultra-secret mathematical breakthrough. Why keep on playing the export control game? Just let crypto go free. NSA can read your e-mail anyway. Oh, and your SSL transactions as well. Of course, it's not going to publicize that fact.

    Yeah, I know. I *am* getting paranoid... =)

    But you have to admit this last scenario makes sense, all of a sudden. It certainly explain the change of heart of this ultra-secretive organization. And the fact that it makes Al "I invented the Internet" Gore looks good doesn't hurt, either.

    Just my $0.02...

  • ...but why create a new unit under the FBI, when the NSA probably has significant numbers of mathematicians and computer scientists, and the clock cycles to help 'em? Sounds like duplication of effort...
  • According to the Washington Post article,

    * The legislation hasn't been introduced yet; wait 'til December to see if there's a change of heart.

    * The backing for it appears to be tied towards some not-yet-introduced "Cyberspace Electronic Security Act of 1999", which includes the FBI code-cracker funding. I'd be curious to see what other provisions are intended.

    * Companies still need to get a (one-time) certification for export, so you're still not home-free.

    * They still oppose the "Security and Freedom through Encryption Act", on the odd grounds that the only people who would be safe "would be spies"...
  • Ah, the joys of rule by decree. They can always change the decree whenever they wish. Note that this is not a change in law but rather a change in regulation. Oh, joy...

    I see no lasting good news here!
  • I think we need someone to read the regulation and report how it affects free software and open source software.
    If I write a crypto program I don't intend on selling it. How weak must it be to export? Is the approval free?
    It's an act of good for netscape, i suppose.

    Atleast it's a start. :)

  • From the CNN article: "And for makers of mass-market software, such as Microsoft Corp. and IBM Corp., the rules forced companies to weaken the security in Web browsers, e-mail programs and other products. "

    The question is, did the Government actually have to get Micro$lop to weaken their security for NT in the first place? :)

  • I find this whole subject moot. There's no need to use U.S encryption. Several of the candidates for A.E.S were invented outside of America anyway.

    People outside of the U.S should use non-U.S strong cryptography, it's freely available (and generally free - PGP International and GNUPG are two examples) and at least as strong as the U.S variants.

    The only people who should ever have been inconvenienced by the export regulations are U.S-based crypto sellers. U.S and non-U.S citizens have access to strong crypto anyway.

    Does anyone really believe that a halfway intelligent criminal would not have downloaded PGP by now?
  • I think the consenses yesterday on /. was that this new "relaxation" is simply a concession on the part of the government. They know that our silly little laws aren't stopping anything from going anywhere, and are finally bowing to the pressure from all sides of the American computer industry.

    When I was in Japan a few years ago, I ordered a cheesy reseller system(because they would mail it to me and they financed over the phone). They would not send me MS office 97 Home Edition because of the encryption in MONEY! The stupid thing is, I could go buy an American version(the one the wouldn't send me) from various places throughout Asia, and not only from pirate shops.

    With the advent of incredibly secure encryption schemes that are so easy to download(PGP, et al.), American export laws are silly at best.
  • by ebenson ( 89328 ) on Thursday September 16, 1999 @11:26PM (#1677663)
    You can find the full text of the bill itself and an analysis here:

    http://www.epic.org/crypto/legislation/cesa/ [epic.org]

    It appears that 64 bit encryption will be allowed, and 128 `may be' allowed if it is designed for `end users' and does not require very much tech support, and is not being exported to the 7 `terrorist' countries.

    I also read in a transcipt of a White House briefing that Wassenaar will be modified to reflect this somehow, but it was somewhat vague...

    Something else interesting is this so called 3rd party key repository which people can optionaly deposit thier private keys for `backup' purposes. The Government of course can get access to any key this 3rd party has after getting proper `judicial authorization'. I am sure we will see alot of Government BS to try and convince people to deposit thier keys...

    --He who gives up liberty for security ends up with neither. --Benjamin Franklin
  • Close, but not quite.

    The patent on the RSA algorithm runs out precisely one year from today -- Sept 17, 2000.

    366 days and counting...

  • ...because beople have never been able to make any sense of their products anyway...
  • Well done! The misspelling was there as a reference point to identify true decypherers. As for the $3million - just doing my little bit to help... (and it was $4.3million actually.) movr pmr@
  • o yjoml oy jsd dp,yomh yp fp eoyj no;; v;omypmd jrsf nromh dvts,n;rf
  • One aspect of these relaxed regs, highlighted by Wired News [wired.com] but ignored pretty much everywhere else, is that investigators will no longer need to reveal their methods for arriving at a plaintext from a cryptotext for which they had no key. There are some scary implcations to this. Specifically, if investigators cannot be compelled to reveal how they decoded encrypted info, they could take an encrypted doc which they could positively attach to the defendant, and then present in court ANY plaintext as being its source. They could make up the foulest, nastiest, most incriminating thing in the world and claim it is the plaintext. With a decent algorithm (i.e. ANY strong algo) there is NO WAY to verify that a plaintext and cryptotext match up without the key (that's the point of encryption, for godssakes.) As the investegators cannot be made to reveal HOW they got plain from cipher, the only defense the defendant could make would be to decrypt the doc in question before the court herself, and that would require her to expose to the court her cryptosystem and key. I.E., in the end, she would be giving up the one thing that protected her. Any even worse scenario: another clause in these regs permits courts to subpeona private keys (previously considered unconstitutional, as it forces a person to incriminate herself.) If the defandant refused to do so, claiming to have forgotten the key, and the prosecution later played its dummed-plaintext trump card, she would be put in the positin of either 1) going to prison for heinous crimes she never even considered commiting or 2) admitting to perjury. This is a very-much bad situation that we, as citizens, are being put into. The NSA, agains, has designed a brilliant protocol.

"Of course power tools and alcohol don't mix. Everyone knows power tools aren't soluble in alcohol..." -- Crazy Nigel

Working...